How Malware Dodges Detection

By: Samantha Keller  |  Category: Blog, Security  |  Friday, March 2nd, 2018

Detecting malware is a tricky business because its whole design is built around staying elusive.

One of the main identifiers of advanced malware is its strategic use of evasion to avoid being caught. Beyond defeating signature-based and behavior-based detection products, advanced malware can draw on hundreds of evasion techniques, and a single sample will typically combine several of them.

While the list of specific evasion tactics is long, here, according to SonicWALL, are a few of the main ones:

Stalling Delays

In this instance the malware simply remains idle until the sandbox's analysis window expires. Most virtualized sandboxes can detect (and often fast-forward) a call to the OS sleep function, but they cannot spot a delay the malware performs internally, for example by spinning in a long arithmetic loop, because no sleep call is ever made for a hook to catch. Full-system CPU emulation and bare-metal analysis, which observe execution directly rather than through API hooks, can still see these delays.

Action-Required Delays

This tactic delays malicious activity until a specific user action occurs (e.g., a mouse click or movement, or opening or closing a file or application). A sandbox that runs the sample with no simulated user interaction never supplies that trigger, so most virtualized sandboxes will not detect malware that is waiting on user action.
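Both of the delay tactics above leave a recognizable footprint in a sandbox API trace, even when the sandbox cannot see the delay itself: an internal stall shows up as a long silence with no API calls and no preceding sleep, and waiting on the user shows up as repeated polling of input APIs. The following is an added example (not SonicWALL's or EnhancedTECH's code) that flags both patterns. The trace format (millisecond timestamp, API name), the sample trace itself, the API name sets and the thresholds are all constructed assumptions for illustration.

```python
"""Flag stalling and user-action-wait behaviour in a sandbox API trace.

Added example, not code from the original page. The trace format
(timestamp_ms, api_name), the API name sets and the thresholds are assumptions.
"""

# Constructed trace: (timestamp_ms, api_name). Not captured from real malware.
TRACE = [
    (0, "GetModuleHandleW"),
    (2, "GetProcAddress"),
    (3, "Sleep"),             # a short, legitimate-looking sleep: a hook sees this
    (4, "GetTickCount"),
    # ~90 s with no API activity at all: the sample is burning CPU in an
    # internal loop instead of asking the OS to wait, so a Sleep hook sees nothing.
    (90400, "GetTickCount"),
    # Polling for mouse movement before doing anything interesting.
    (90401, "GetCursorPos"),
    (90451, "GetCursorPos"),
    (90501, "GetCursorPos"),
    (90551, "GetCursorPos"),
    (90601, "GetCursorPos"),
    (90602, "CreateFileW"),
    (90605, "WriteFile"),
]

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}
USER_INPUT_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo",
                   "GetForegroundWindow"}


def total_sleep_calls(trace):
    """Count explicit sleep/wait calls; these are what a Sleep hook already sees."""
    return sum(1 for _, api in trace if api in SLEEP_APIS)


def find_silent_gaps(trace, gap_ms=30_000):
    """Return (start_ms, end_ms) pairs where the sample made no API call for at
    least gap_ms and the call before the gap was NOT a sleep/wait.

    A gap that follows a Sleep call is the sleep itself and is already visible
    to the hook; a gap with no sleep before it is the signature of an internal
    busy-wait that no API hook can observe."""
    gaps = []
    for (t0, api0), (t1, _) in zip(trace, trace[1:]):
        if t1 - t0 >= gap_ms and api0 not in SLEEP_APIS:
            gaps.append((t0, t1))
    return gaps


def find_input_polling(trace, min_repeats=5):
    """Return (api, count) for input APIs called min_repeats or more times in a
    row with nothing in between: the sample is waiting for a user action that a
    sandbox without simulated interaction will never provide."""
    hits = []
    run_api, run_len = None, 0
    for _, api in trace:
        if api in USER_INPUT_APIS and api == run_api:
            run_len += 1
        elif api in USER_INPUT_APIS:
            run_api, run_len = api, 1
        else:
            if run_len >= min_repeats:
                hits.append((run_api, run_len))
            run_api, run_len = None, 0
    if run_len >= min_repeats:
        hits.append((run_api, run_len))
    return hits


def analyze(trace):
    """Summarize the three indicators for one trace."""
    return {
        "sleep_calls": total_sleep_calls(trace),
        "silent_gaps": find_silent_gaps(trace),
        "input_polling": find_input_polling(trace),
    }


if __name__ == "__main__":
    for key, value in analyze(TRACE).items():
        print(f"{key}: {value}")
```

On the constructed trace this reports one explicit sleep, one silent gap of roughly 90 seconds that no sleep explains, and a run of five `GetCursorPos` calls. In a real sandbox the silent-gap heuristic is usually strengthened by comparing CPU time consumed to wall-clock time (a busy-wait burns CPU, a sleep does not), and the polling heuristic is best paired with actually simulating mouse and keyboard activity so the sample proceeds.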

Intelligent Suspension of Malware

Unlike simple stalling, this category covers techniques that actively discover the presence of a sandbox (by fingerprinting hardware, installed software, virtualization artifacts or the absence of user activity) and suspend malicious behavior while they believe they are being observed. The malware holds back until it is satisfied that it is on a real victim host before injecting, modifying or downloading code; decrypting files; moving laterally across the network; or connecting to its C2 servers.

Fragmentation

This tactic splits the malware into fragments that are only assembled and executed on the targeted system. Because virtualized sandboxes typically evaluate each fragment on its own, every fragment appears harmless, and the malicious whole is never scanned.
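To make the fragmentation point concrete, here is an added example (not SonicWALL's or the page's code) that splits a payload into fragments such that no single fragment contains any recognizable bytes, then shows that a signature check over each fragment separately finds nothing while the same check over the reassembled payload fires. The "payload" is a harmless constructed string standing in for a malicious stage, and the "signature" is an arbitrary substring of it; both are assumptions for illustration.

```python
"""Why per-fragment scanning misses a split payload.

Added example, not code from the original page. PAYLOAD and SIGNATURE are
constructed stand-ins; the XOR split is one simple way to fragment a blob so that
no individual fragment carries the original's byte patterns.
"""
import secrets


def split_payload(payload, n, rng=secrets.token_bytes):
    """Split payload into n fragments whose XOR is the payload.

    The first n-1 fragments are random bytes and the last is payload XOR (all
    the others). Any proper subset of fragments is indistinguishable from random
    data, so a scanner looking at fragments one at a time has nothing to match."""
    if n < 2:
        raise ValueError("need at least two fragments")
    frags = [rng(len(payload)) for _ in range(n - 1)]
    last = bytes(payload)
    for f in frags:
        last = bytes(a ^ b for a, b in zip(last, f))
    frags.append(last)
    return frags


def reassemble(frags):
    """XOR all fragments back together; this is what runs on the victim."""
    out = bytes(len(frags[0]))
    for f in frags:
        out = bytes(a ^ b for a, b in zip(out, f))
    return out


def matches_signature(blob, signature):
    """Stand-in for a byte-signature engine: does the blob contain the pattern?"""
    return signature in blob


def scan_fragments(frags, signature):
    """What a scanner that inspects each fragment in isolation concludes."""
    return [matches_signature(f, signature) for f in frags]


# Constructed demo data: a harmless string representing a second-stage launcher.
PAYLOAD = b"cmd.exe /c powershell -enc <stage2>"
SIGNATURE = b"powershell -enc"


def demo(n=3):
    """Split, scan per fragment, then scan the reassembled whole."""
    frags = split_payload(PAYLOAD, n)
    whole = reassemble(frags)
    return {
        "per_fragment_hits": scan_fragments(frags, SIGNATURE),
        "reassembled_hit": matches_signature(whole, SIGNATURE),
        "reassembled_ok": whole == PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive consequence is that fragments have to be correlated and reassembled before scanning, which means tracking what arrives on the same host or session over time rather than judging each file or download in isolation; the "reassembled_hit" result is what a scanner sees only once it does that.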

Return-Oriented Programming (ROP)

A ROP-based tactic overwrites the stack with a chain of return addresses that point at short instruction sequences ("gadgets") already present in legitimate code, so the malicious behavior is stitched together from code the system already trusts rather than from code the malware brought with it. Because no new executable code is written, detection that looks for injected or unsigned code sees nothing, and the activity appears to originate from the legitimate program hosting the gadgets rather than from the malware itself.

Rootkits

A rootkit is a component (or set of components) that runs in the lower layers of the OS, typically in kernel mode, and intercepts the calls applications make so that its own files, processes and network connections are left out of what the OS reports. Most virtualized sandboxes only hook what applications call, not what the OS does with those calls, so the actions a rootkit performs below that layer generally go undetected.

Because attackers invest so heavily in evasion, organizations should analyze suspicious code with more than one engine (for example, a virtualized sandbox alongside full-system emulation or bare-metal execution) rather than trusting a single verdict, especially when the goal is to find and stop ransomware and credential theft.

If you need assistance with a robust cybersecurity solution, give EnhancedTECH a call at 714-970-9330 or contact us at sales@enhancedtech.com.


Samantha Keller

Director of Marketing and PR at EnhancedTECH

Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football. Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.